Windows logon script launch service

0

I want to create a login script (Win 10 Pro) that would start/stop the synergy service on logon/logout for a specific user.

The problem is that "net start synergy" gives access denied 5, since it is not executed from an elevated user.

So... is there any workaround that I could use?!

------------ SOLUTION --------------

I used the subinacl tool (from Microsoft) to grant the user the right to start/stop/pause the Synergy service:

    subinacl.exe /service Synergy /grant=KitchenComputer\reinis-ubnt=PTO

Then I used Task Scheduler and created two tasks. One task was triggered by workstation lock, the other by workstation unlock (there are such triggers!!!). Then I created a simple shell script to stop the service with "net stop synergy". To start the service I used these shell commands:

    if %username% == reinis-ubnt (
        net start Synergy
    )

Regarding subinacl and granting the user the right to launch the service, I relied on this resource - http://woshub.com/set-permissions-on-windows-service/

Thank you superuser for support!!!

0xDEAD BEEF

Posted 2018-01-27T16:39:40.317

Reputation: 201

If you change the service to automatic, or delayed, it should automatically start. No need to script anything. – LPChip – 2018-01-27T17:13:42.667

I want this service to start / stop for specific user only. – 0xDEAD BEEF – 2018-01-27T17:16:47.440
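One way to check what the subinacl grant in the question left on the service's DACL, as an added example that is not part of the original post: it parses the SDDL string that `sc.exe sdshow Synergy` prints and flags any allow ACE that gives a non-administrative trustee rights to reconfigure the service. The sample SDDL, the SID in it, and the function name `Get-ServiceAceReport` are constructed for illustration.

```powershell
# Constructed sample; on a live system use the output of: sc.exe sdshow Synergy
$sampleSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
              '(A;;CCLCSWLOCRRC;;;IU)(A;;RPWPDT;;;S-1-5-21-1111111111-2222222222-3333333333-1001)'

# Two-letter SDDL rights as they apply to service objects.
$serviceRights = @{
    CC = 'QueryConfig'; DC = 'ChangeConfig'; LC = 'QueryStatus'; SW = 'EnumerateDependents'
    RP = 'Start'; WP = 'Stop'; DT = 'PauseContinue'; LO = 'Interrogate'
    CR = 'UserDefinedControl'; SD = 'Delete'; RC = 'ReadControl'; WD = 'WriteDac'
    WO = 'WriteOwner'; GA = 'GenericAll'; GW = 'GenericWrite'; GR = 'GenericRead'
    GX = 'GenericExecute'
}
# Rights that let the holder reconfigure the service or rewrite its permissions.
$escalating = 'ChangeConfig', 'WriteDac', 'WriteOwner', 'GenericAll', 'GenericWrite'
# Trustees expected to hold full control: LocalSystem and built-in Administrators.
$privileged = 'SY', 'BA'

function Get-ServiceAceReport {
    param([Parameter(Mandatory)][string]$Sddl)

    # Keep only the DACL: drop anything before 'D:' and the SACL ('S:') if present.
    $dacl = ($Sddl -creplace '^.*?D:', '') -creplace 'S:.*$', ''
    foreach ($m in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        # ACE layout: type;flags;rights;object_guid;inherit_object_guid;trustee
        $f = $m.Groups[1].Value -split ';'
        if ($f.Count -lt 6) { continue }
        if ($f[2] -like '0x*') {
            $names = @($f[2])   # hex access mask: reported untranslated
        } else {
            $names = @([regex]::Matches($f[2], '..') | ForEach-Object {
                if ($serviceRights.ContainsKey($_.Value)) { $serviceRights[$_.Value] } else { $_.Value }
            })
        }
        $risky = @($names | Where-Object { $escalating -contains $_ -or $_ -like '0x*' })
        [pscustomobject]@{
            Type    = $f[0]
            Trustee = $f[5]
            Rights  = $names -join ','
            # Flag allow ACEs that give a non-administrative trustee an escalating right.
            Flagged = ($f[0] -eq 'A') -and ($privileged -notcontains $f[5]) -and ($risky.Count -gt 0)
        }
    }
}

Get-ServiceAceReport -Sddl $sampleSddl | Format-Table -AutoSize -Wrap
```

For a grant like the `PTO` one in the question, the user's ACE should list only Start, Stop and PauseContinue and stay unflagged; hex access masks are flagged for manual review because they are not translated.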

Answers

1

This answer will cover stopping the process for the user. It will also allow you to implement steps to run the service as requested, using the runas command (assuming the "Non-Admin" account is authorized to execute PowerShell/CMD).


If you're using a local PC (as in, you're not a member of a domain), you can implement a "Task Schedule" for Logon, and execute it as another user, which can be explained here. If you specify this to run "as another user", and with highest privileges, you should be capable of editing the service on start.

If this is too difficult (or, the user logging in to the PC is an administrator), you could elevate a PowerShell script to be run as an admin:

    # Relaunch this script elevated if the current token is not in the Administrators role.
    If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
    {
        # Re-invoke the same script file in the new, elevated PowerShell process.
        $arguments = "& '" + $myinvocation.mycommand.definition + "'"
        Start-Process powershell -Verb runAs -ArgumentList $arguments
        # Stop the non-elevated copy here.
        Break
    }

Source

Note: I know you said the user is not an admin, but this could help others, hence why I added it.

If we're real lazy, we could use the runas command within the PowerShell/batch script we want to implement; however, we would need to store credentials in a secure process (as in, not plain text).


Local Group Policy Editor

Simply add a Computer Side Startup/Shutdown script to call and stop the service:

  1. runas to run the gpedit.msc file;
  2. Computer Configuration, Windows Settings, Scripts (Startup/Shutdown)
  3. Add predefined script to execute file:

    runas.exe /user:localhost\Administrator "net start synergy"
    

DankyNanky

Posted 2018-01-27T16:39:40.317

Reputation: 489